Download presentation
Presentation is loading. Please wait.
1
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University
2
Model Checking Given a: Finite transition system M(S, I, A temporal property The model checking problem: Does M satisfy
3
Model Checking Temporal properties: “Always x=y ” (G( x=y )) “Every Send is followed by Ack ” (G( Send F A ck )) “ Reset can always be reached” (GF Reset ) “From some point on, always switch_on” (FG switch_on) “Safety” properties “Liveness” properties
4
Advances in Model Checking Explicit model checking (1980 – ) Symbolic Model Checking with Binary Decision Diagrams (1991 – ) Symbolic Bounded Model Checking with SAT solvers (1999 –)
5
Bounded Model Checking A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties: can we find a bad state in k steps? Verification: can we find a counterexample in k steps ? (Biere, Cimatti, Clarke, Zhu, 1999)
6
Bounded Model Checking Most safety properties can be reduced to “Always p” where p is propositional. Is there a state reachable within k cycles that satisfies p ?... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p
7
Reducing the BMC problem to SAT p is preserved up to cycle k iff (k) is unsatisfiable:... s0s0 s1s1 s2s2 s k-1 sksk pp p pp p
8
Example: a two bit counter Property: Always ( l r). 00 01 10 11 (2) is unsatisfiable. (3) is satisfiable. Initial state: Transition:
9
Bounded Model Checking All Linear-time Temporal Logic (LTL) can be checked with BMC BMC can be applied to software, e.g. C programs (Kroening, Clarke, 2002): Unwind each loop k times Represent in Single Assignment Form (SAF) Solve the resulting bit-vector verification condition
10
Bounded Model-Checking of software while() loops are unwinded void f(...) {... cond while(cond) { Body; Body; } Rest; } void f(...) {... cond while(cond) { Body; Body; } Rest; }
11
Bounded Model-Checking of software while() loops are unwinded void f(...) {... cond if(cond) { Body; cond while(cond) { Body; Body; } Rest; } void f(...) {... cond if(cond) { Body; cond while(cond) { Body; Body; } Rest; }
12
Bounded Model-Checking of software while() loops are unwinded void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond while(cond) { Body; Body; } Rest; } void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond while(cond) { Body; Body; } Rest; }
13
Bounded Model-Checking of software while() loops are unwinded iteratively Assertion may be inserted after last iteration: violated if program runs longer than bound permits void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond while(cond) { Body; Body; } Rest; } void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond while(cond) { Body; Body; } Rest; }
14
Bounded Model-Checking of software while() loops are unwinded iteratively Assertion my be inserted after last iteration: violated if program runs longer than bound permits void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond if(cond) { assert(FALSE); } Rest; } void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond if(cond) { assert(FALSE); } Rest; }
15
Bounded Model Checking - First impression… First experiments with BMC in the industry showed that it is rarely faster than model checkers, unless k is very small. But: Model checkers enjoyed more than 10 years of R&D….
16
The Davis-Putnam procedure Given k in CNF: (x,y,z),(x,y),( : y,z),( : x, : y, : z) Decide() Deduce() ( ~1000) Diagnose()
17
Tuning SAT for BMC 1.Restrict Decide() to a small set of variables 2.Use the variable dependency graph for smarter orderings 3.Exploit (k)’s structure to restrict the state-space: Learn more by exploiting the symmetry of (k) Reuse information between the SAT instances
18
1. Restricting Decide() Restricting Decide() to a smaller set of variables that uniquely determines the satisfiability of (k): Model variables (~ 15 % of (k)’s variables) Input variables (~ 5 % of (k)’s variables) Less variables to Decide() implies more variables to Deduce()
19
For a general CNF formula, Dynamic strategies are typically better: Most Frequent in unsatisfied clauses (DLCS) Satisfies the most clauses (DLIS) Satisfies the most shortest clauses (MOM, JW) Conflict Driven (VSIDS) : 2. Variable ordering Q: How well do they work with BMC formulas ?
20
A (CNF) dependency graph D (V,E): A partitioning C 1..C n : An abstract dependency graph D’(V’, E’): 2. Variable ordering (Abstract dependency graphs)
21
For (k) there exists a partition C 1..C n s.t. the abstract dependency graph is linear C0C0 C1C1 C2C2 CkCk C3C3 C k-1 V0V0 V1V1 V2V2 VkVk V3V3 V k-1... 2. Variable ordering (The natural order of (k))
22
I0I0 ~Pk~Pk With general-purpose Decide() strategies, local sets of variables are satisfied a-synchronically 2. Variable ordering
23
General-purpose Vs. tailor-made Decide() strategies... :... (x 5 = ( y 4 z 5 u 4 )) ... x 5 = T y 4 = F z 5 = F u 4 = T General purpose Back- track x 5 = T y 4 = F z 5 = F u 4 = T Use ‘s structure to resolve conflicts on a more local level... Tailor made Back- track
24
I0I0 PkPk Riding on unreachable states... k should satisfy I 0 I0I0 Riding on legal executions... (k) should satisfy P k PkPk 2. Variable ordering (simple static ordering)
25
Given an order, guess a value Dynamic decision Constant value Previous value ‘Flat’ computation ... Previous value x 2 = 1 y 7 = 0 z 2 = 0 y 3 = 1 x 2 = 0 y 7 = 0 z 2 = 0 y 3 = 1
26
Can this regularity be used to speed up the search ? 3. Exploiting (k)’s structure
27
Conflict clauses is the main mechanism for learning If (x 3 =1, y 7 = 0, z 5 = 1 ) leads to a conflict, add the conflict clause C: ( x 3 y 7 z 5 )
28
3. Exploiting (k)’s structure (Replicated clauses) If x 3 =1, y 7 = 0, z 5 = 1 leads to a conflict, then so will x 2 =1, y 6 = 0, z 4 = 1 Therefore, we can also add: ( x 2 y 6 z 4 ) … ( x 0 y 4 z 2 ) and... ( x 4 y 8 z 6 ) … ( x k-4 y k z k-2 ) Yet, (k) is not fully symmetric because of I 0. Check whether the clauses that caused the conflict include I 0 variables.
29
4. Exploiting (k)’s structure (Reusing clauses) When can a conflict clause C that was learned while solving (k) be reused for solving (k+1)? Answer: all clauses that together implied C are in (k) Å (k+1) All clauses except the property are in (k) Å (k+1)
30
Results (Sec.) * * * = exceeds 10,000 sec. )Today, Chaff solves all in 7 minutes…)
31
Results (sec.)
32
The Conclusion The original conclusion (2000): Many models that cannot be solved by BDD symbolic model checkers, can be solved with the optimized SAT Bounded Model Checker. The other direction is true as well Today: BMC with SAT is dominant in finding shallow errors. BDD-based procedures are mainly used for proving their absence.
33
How big should k be? For every model M and LTL property there exists k s.t. The minimal such k is the Completeness Threshold (CT)
34
How big should k be? Diameter d = longest shortest path from an initial state to any other reachable state. Recurrence Diameter rd = longest loop-free path. rd ¸ d d = 2 rd = 3
35
How big should k be? Theorem: for Gp properties CT = d s0s0 pp Arbitrary path
36
How big should k be? Theorem: for Fp properties CT= rd s0s0 pp pp pp pp pp Open Problem: The value of CT for general Linear Temporal Logic properties is unknown
37
The General case Buchi automata B: h S,S 0, ,F,L i S - States S 0 µ S - Initial states µ S £ S - Transition relation F µ S - Accepting set L: S ! 2 AT - Labeling function Let inf(W) be the set of states visited infinite no. of times by a run W B accepts W iff there exists f 2 F s.t. inf(W) Å f ;
38
The General case Every LTL formula can be represented by a Buchi automaton B
39
LTL model checking Given M, , construct B LTL model checking: is : M £ B empty ? Emptiness checking: is there a path to a loop with an accepting state ? ! witness to G true with fairness constraint M ² iff is empty
40
LTL Bounded Model Checking “Unroll” k times Find a witness to Gtrue with the fairness constraint s0s0 f
Similar presentations
